Attack Origin: Does it Even Matter
January 20, 2015 | Security and Risk | John Worrall
It’s been an exciting month keeping up with the latest cyber security breach! If you aren’t caught up, listen to this great recap by NPR. And CyberArk founder and CEO, Udi Mokady, joined the CNBC’s Squawk Box to point out that that the most important lesson from the Sony breach is that protecting the inside is what really matters. The news cycle is focused on who perpetrated the attack and what the US government might do in reaction, however, this doesn’t help companies become more secure.
As we learn from this and other recent attacks (on entertainment, financial, retail and other industries) it has become next to impossible for an organization to know why and by whom it may be attacked. Is it a criminal gang looking for financial gains or a nation state looking for a political gain? Or is it an adversary looking to use the organization as a stepping stone for an attack on a partner or another connected organization? An activist looking to discredit an organization?
Who’s responsible for an attack has become more difficult to pinpoint as tools and techniques are widely distributed, shared, studied, used and reused. Organizations no longer know who the attackers are or why they are attacked. Will it be the content of a movie or a comment from an executive that sets off a nightmare situation for a company?
Thus, the security of the organization must focus on the inside. All targeted attacks make use of the same techniques to operate inside the network. Hijack credentials, gain control of privileged accounts and use them to move around, undetected, throughout the organization – this is at the heart of every attack. If you don’t secure your privileged accounts, you become a sitting duck just waiting for the next adversary who decides to make an example of you…
Companies must take recent lessons to heart or face the consequences.
Not Who….How: From a security perspective, the Sony attack is a clear demonstration that it no longer matters WHO is attacking an organization, but HOW they did it. The lesson from this breach is more about the low-level security practices employed by companies and how this has created a frightening new reality in which attackers are able to commandeer and control a company’s infrastructure – no matter where the attack originates.
Sony is Snowden…Snowden is Sony: At its core, the Sony breach is very similar to other massive attacks/breaches – including the retail breaches that dominated headlines in 2014 and even Edward Snowden and the NSA. While the outcomes were different, each of these attacks required the theft and exploitation of administrative and privileged credentials, giving the attackers full control of the targeted company’s infrastructure.
Motivations are Meaningless: The line between nation-state and criminal gangs are increasingly blurred. The attacks once limited to nation-funded groups are now widely re-used. FinFisher, Gamma, and Hacking Team are examples of commercial, “for sale” targeted attack capabilities used by nation states. But ultimately, the motivation is meaningless. Today, it was a movie that was the reason. (Or was it?) Is tomorrow’s attack because of a newspaper article? It doesn’t matter. What matters is how the attacks are carried out. This is the key to stopping them.
Why Every Organization is Vulnerable: We conducted an analysis of recent major attacks with forensics experts from companies including Mandiant, Deloitte, Verizon and others that showed cyber-attackers have broadened their targets, pursuing companies of all sizes, in all industries. Why? Every company is connected to other companies by both general business and even IT systems themselves (think of the supply chain in any industry). One company might simply be a doorway into another. . As more businesses fall victim to devastating attacks, the more they need security that focuses on the securing the inside of the network. It’s time to focus on what can have a positive impact on security and spend less energy trying to uncover where the attack may have originated.